This cartoon is about the GDPR’s lawful basis requirement to process personal data. One of the biggest differences between U.S. and EU privacy law is that in the U.S., organizations can collect and use personal data in nearly any way they choose as long as they state what they are doing in their privacy notice and follow what they say. In the EU, in contrast, the GDPR requires that organizations have a “lawful basis” to collect and process personal data. The GDPR specifies six lawful bases: consent, performance of a contract, compliance with a legal obligation, public interest, protection of the vital interests of the data subject or other people, and legitimate interest in processing the data.
Many organizations use legitimate interest as their lawful basis.
Article 6(1)(f) of the GDPR provides:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The ICO has some very useful guidance about what constitutes a legitimate interest under the GDPR:
The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.
Because the term ‘legitimate interest’ is broad, the interests do not have to be very compelling (although in some instances they may be) and it does not rule out interests that are more trivial. An interest that could be seen as trivial or controversial could still be a legitimate interest for these purposes, although be aware they are more easily overridden in the balancing test or if the data subject objects under Article 21.
Showing that you have a legitimate interest does mean however that you (or a third party) must have some clear and specific benefit or outcome in mind. It is not enough to rely on vague or generic business interests. You must think about specifically what you are trying to achieve with the particular processing operation.
The ICO guidance further provides:
Whilst any purpose could potentially be relevant, that purpose must be ‘legitimate’. Anything illegitimate, unethical or unlawful is not a legitimate interest. For example, although marketing may in general be a legitimate purpose, sending spam emails in breach of electronic marketing rules is not legitimate.
In my opinion, the legitimate interest basis is too broad and open-ended, and it allows organizations to use personal data in a myriad of different ways without individual consent. I don’t think many uses of data are in the spirit of what the drafters of the GDPR had in mind, but without circumscribing and better defining this vague basis, the GDPR opens the door to what I’ve depicted in this cartoon – organizations using personal data when they really want to use it and cooking up some rationale to do so.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.